In more evidence of Microsoft's increased interest in security technology, the software company said on Wednesday that it plans to acquire FrontBridge, a provider of secure messaging services. Microsoft plans to use its acquisition of FrontBridge to deliver a secure, highly available e-mail service that will be marketed to companies with limited IT resources, Microsoft said in a statement.

In more evidence of Microsoft's increased interest in security technology[...]

If that would continue like "[...] Microsoft's Security-On-The-Top-of-Our-List Division acquired two gazillion bodyguards which they will make available for hire by Windows customers to provide on-site security." then I still wouldn't be surprised.

Look at the various products and companies that Microsoft has purchased in the past, however, and see just how much "innovation" has been accomplished within the context of those products (or the various former companies' respective product lines) since MS acquired them.

Some examples of products acquired (and not developed) by Microsoft would be Visio, Frontpage, PowerPoint, SQL Server, Virtual PC, Hotmail, and of course Internet Explorer and IIS.

That's really the only way to see if it's true in a Microsoft context or not.

The problem as I see it is that they treat security as a technology, a physical thing you can buy. Security is a practice, a way of developing all code with correctness in mind. Buying a band-aid can only do so much good and can only account for the holes that you anticipate. The many unknown holes that are left in the code are not any safer now.

What is the fundamental difference, if a company buys another product, or, if it develops the product?

In both cases, money is being spent. If you develop it, you pay your developers. If you buy it, you pay the money to the other company, the developers of the other company are getting paid.

Same thing.

And, no work is wasted. Why develop a similar product, if you can buy it already? Why re-invent the wheel? The result and the amount of money-spending (And that counts in the business world) is in both cases the same.

And by the way, I have never heard that MS forcefully bought a product, by a hostile takeover for example.

What is the fundamental difference, if a company buys another product, or, if it develops the product?

As a programmer who has been involved in the development and support of software products in both situations, I can tell you one huge potential difference.

In the latter case, the chances are good that the folks who designed and implemented the product are still around to help support it. Also, lessons learned by developing the original product can be used down the road when creating new features for the same product or even when designing/developing/enhancing other products.

In the former case, the folks who created the product may or may not transfer to the new company, and in the latter case all of the above knowledge is lost (and has to be regained slowly by the acquiring company).

One situation can be easy to build on. The other may not be.

Even if the original designers and developers are kept as part of the original team, there are often other team members introduced by the new company who have different ideas about how to do things (along with the tenure to enforce them). Even basic corporate cultures can vary tremendously and have a fairly large impact on the way ideas are generated, on the way projects are staffed/funded, and on the way the ideas are actually implemented as part of a real product.

I'm sure there are cases where the core team was kept together with the purchased product and was able to operate the same way as before, but my guess is those cases are few and far between...

In an increasing number of situations MS cannot develop a similar product or they would face a dozen lawsuits claiming they stole the idea.

It's less messy to just buy the company who owns the technology from the get-go, rather than go thru five years of legal BS only to pay to license the technology.

Suing MS has become an industry of its own. The only thing keeping open source products out of the court system is the lack of money held by the developers, though you will begin to see cases filed nonetheless.

The main problem with acquisitions is that the company that innovated in the first place ceases to exist and just becomes another division of the usually bigger and slower moving company.

Never underestimate the effect that a significant change in corporate culture can make. Take for example Computer Associates. They have a history of buying small innovative firms in order to grow and expand their product line. The people who were once in charge, however, lose much of their influence and are subject to the demands of their new upper management who most likely have a different vision for their product.

The product may continue to exist, but it will most likely go in a different direction than the original authors previously intended.

The following is excerpted from an interview with Gregor Freund, the leader of Zone Labs. I would bet that this new email service will be another instance of Microsoft "wanting" to provide a service, but the "temptation" to read the email of their competitors or other companies they are interested in will be "too much".

----

Freund: No, I don't think so. I think to some extent, I think it's a mistake [for Microsoft] to focus on building security software, because that's really done very well by independent companies. I really wish they'd focus on the core of their applications, and the core of the operating system. Still, every month, I'm getting this long list of vulnerabilities, and we've seen quicker and quicker exploits of these vulnerabilities, often within days. This is a long list of things they need to worry about before they try to compete.

Don't forget that cyber-security and, quote/unquote, "real-world security" aren't all that different. We know that very secure countries tend to spend a lot more on security. If you go to Switzerland, the trains are well lit, they're making a lot of things very secure, and still, they're spending a lot more on police than other countries. So normally, a secure environment creates more of an awareness. I firmly believe there's a need for an industry that focuses on creating a layer on top of everything else, of the operating system, of applications; and at the same time, there's just as much need of securing the applications, and the operating system, and frankly writing better code to avoid a lot of these security holes. I don't really think that the one thing is going to replace the other.

THG: In this new industry that you're talking about, does Microsoft play a leadership role, or does it play a membership role?

Freund: We'll see what role Microsoft plays. I think that it's very, very hard to do both at the same time. On the one hand, you've got an inherent conflict. There's a reason why, in the real world, we separate police and security guard functions from productivity functions. Think about it: You could come up with [a plan] to save some money here by having all the cab drivers all be cops. Then you can decide, are they going to pick up the fare or are they going to chase down the bad guy? You run into a lot of inherent conflict if you try to do both at the same time.

A good example was a couple of weeks ago, when Microsoft decided to look at buying one of the largest spyware companies, Claria. Within days, the spyware from that company disappeared from, or was reclassified in, the Microsoft anti-spyware product, because now, while they're talking and sitting around the table and thinking about buying this guy, they can't at the same time classify them as malicious. So you see that, very quickly, your resolve to provide good security gets compromised by conflicting business goals.